Pressure builds to improve election cybersecurity

Congressional efforts to secure election systems from cyberattacks are picking up steam with lawmakers under pressure to prevent hacks in the 2018 midterms.

After the revelation that Russia tried to probe election systems in 21 states in the 2016 election, security experts, state officials and others demanded federal action to help states upgrade outdated voting machines and bolster security around voter registration databases.

Last week, a bipartisan coalition of six senators introduced the Secure Elections Act, which includes a measure authorizing grants for states to upgrade outdated voting technology and shore up their digital security.

{mosads}

“It is imperative that we strengthen our election systems and give the states the tools they need to protect themselves and the integrity of voters against the possibility of foreign interference,” Sen. James Lankford (R-Okla.), a Senate Intelligence Committee member, said when unveiling the bill.

Moscow’s targeting of state systems, including breaching voter registration databases in Arizona and Illinois, was part of a broader effort to meddle in the election. It led the Obama administration to designate election systems as critical infrastructure in its waning days.

The issue of Russian interference has generated significant attention in Washington over the past year, but little successful legislative action.

But the bill introduced by Sens. Lankford, Amy Klobuchar (D-Minn.) and others is evidence of a growing effort to pass legislation specifically addressing voting infrastructure cybersecurity.

The bill comes as state officials are clamoring for swifter action ahead of the 2018 midterms.

“When we had instances last year all over the country related to people trying to get into other peoples’ data and voter files – why are we waiting for something bad to happen to start doing something about it?” said Arizona Secretary of State Michele Reagan (R).

“Let’s be honest, it’s not going to happen if we all stay quiet about it,” Reagan added.

Advocacy groups are lining up in support of the bill. They hail it as a long-awaited, multifaceted approach that both incentivizes states to bolster voting system cybersecurity and provides resources to replace insecure election technology.

“There needs to be more urgency,” said Rudy Mehrbani, a senior counsel at the Brennan Center for Justice, a left-leaning public policy institute that supports the bill. “There [are] only a limited number of months left between now and the 2018 elections.”

The concerns surrounding election infrastructure cybersecurity are two-pronged.

Officials maintain that Russia did not target voting machines, which are not connected to the internet. Many say the decentralized nature of the U.S. voting system makes it difficult for hackers to actually change a result.

Still, some security experts say that voting technologies are vulnerable to hacking and have called for election officials to swap out paperless direct-recording electronic voting machines for systems that yield an auditable paper ballot, to increase confidence.

Currently, five states still rely completely on paperless digital machines to tally votes, while several more have mixed infrastructure with some localities using the technology.

“In every single case where a U.S. voting machine has been tested in the laboratory and given rigorous security scrutiny, it has been found to have vulnerabilities that would allow a sophisticated adversary to manipulate votes,” said J. Alex Halderman, a University of Michigan computer science professor.

“All we need to do is make sure we have a physical safeguard, a physical fallback mechanism.”

Earlier this year, Virginia officials raced to phase out paperless machines less than two months before the November gubernatorial election, after security experts demonstrated the ease with which machines could be hacked at the DEFCON cybersecurity conference in Las Vegas over the summer.

Some have also raised concerns about the possibility of hackers targeting voter registration databases to change voter data — creating chaos on election day.

The Department of Homeland Security has stepped up to provide cyber hygiene testing and other services to states that request help as part of the critical infrastructure services, though some states face up to nine-month wait times for vulnerability screenings, officials told Politico.

Still, state officials, whose own legislatures are strapped for cash, contend that, without additional resources, election officials will fall short of securing their systems from cyber threats.

In mid-December, the National Association of Secretaries of State (NASS) pressed Congress to appropriate the remaining $396 million from the 2002 Help America Vote Act so states can update aging election systems to enhance security.

“We’re already behind the eight ball here and we need Congress to step up and move quickly,” said Vermont Secretary of State Jim Condos (D), the incoming president of NASS.

Still, legislating the issue at the federal level could prove tricky. Some state officials are wary of federal money coming with too many strings attached.

“Is the federal government then going to ask for oversight? Are they going to mandate we or do or don’t do certain things?” Reagan reflected. “If there are some strings, so be it — but what would that be? But we’re eager to have that conversation.”

The Secure Elections Act, for example, would offer grants to states to implement cybersecurity guidelines developed by an independent advisory panel.

At the same time, it is constructed to keep state officials happy by affirming their lead on administering federal elections. It also aims to quicken and improve information sharing between the Department of Homeland Security and relevant election officials, which has been a source of tension between states and federal officials over the past year.

Lawmakers had a long road to get to the bill.

The U.S. intelligence community released its Russian interference assessment in January, saying that Moscow aimed to sow discord, damage Hillary Clinton, and help elect President Trump.

For several months, the conversation in the media and Washington has largely focused on the special counsel investigation into whether Trump campaign associates coordinated with Moscow.

As Russian hacking efforts in the states came into full focus over the summer, some lawmakers began to seek legislative solutions to the problem.

Sens. Klobuchar and Lindsey Graham (R-S.C.) introduced an unsuccessful amendment to the annual defense policy bill to develop “best practices” for state election cybersecurity and provide grants to states to bolster security and update systems. Both lawmakers have signed on to support the latest legislation.

Less than a year out from the 2018 midterms, these efforts have yet to prove fruitful, though, spawning broad frustration.

Michael Chertoff, who served as Homeland Security Secretary under former President George W. Bush, described lawmakers’ and election officials’ “lackadaisical response” to election cyber risks as “both staggering and distressing” in a September Wall Street Journal op-ed. Chertoff pushed for federal cybersecurity standards for election technology.

Broadly, the efforts by the Republican-led Congress to respond to Russian interference have attracted criticism. Former acting CIA Director Michael Morell and former GOP Rep. Mike Rogers (Mich.) wrote in The Washington Post this week that, despite Congress levying additional sanctions against Moscow this summer, “the United States has failed to establish deterrence in the aftermath of Russia’s interference.”

Some worry it might be too late for any legislation to help prevent hacking efforts targeting states in 2018.

“Now we’re on the verge of another federal election,” said Virginia Department of Elections Commissioner Edgardo Cortés.

“At this point, additional resources from Congress — it’s going to be difficult to make them useful in time to have an impact on 2018.”